droid

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill's examples and usage (e.g., droid fill "Password" "secret123") instruct generating CLI commands that embed plaintext credentials directly, forcing the LLM to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill pulls screenshots and the device UI XML from the connected Android device (see dumpUIHierarchy which pulls /sdcard/ui_dump.xml and screenshotCommand which pulls /sdcard/screenshot.png) and SKILL.md explicitly instructs the agent to "Read the screenshot image with Claude's Read tool" while the CLI uses element text from the UI dump to drive taps/fills/wait-for, so arbitrary third‑party app/web content on the device can influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The droid CLI script auto-runs "bun install" at runtime (scripts/droid-cli/droid), which will fetch and install packages from the npm registry (e.g., https://registry.npmjs.org/) and thus downloads and enables execution of remote code that the skill requires.